[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3776-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Dec 31 08:05:33 PST 2018
Synopsis: USN-3776-1 can now be patched using Ksplice
CVEs: CVE-2017-18216 CVE-2017-5715 CVE-2017-5753 CVE-2018-10878 CVE-2018-10902 CVE-2018-14633 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-17182 CVE-2018-6554 CVE-2018-6555
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3776-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Information disclosure in AIX partition parsing.
A lack of correct string termination can result in uninitialised memory
being disclosed from the kernel. A local user with the ability to mount
a disk image could use this flaw to facilitate a further attack.
* CVE-2018-6554: Denial-of-service in IRDA socket binding.
Repeated calls to bind() on an IRDA socket could cause a memory leak
resulting in a denial of service by a local, unprivileged user.
* CVE-2018-6555: Privilege escalation in IRDA setsockopt().
Missing liveness checks could result in a use-after-free when performing
setsockopt() on an IRDA socket. A local, unprivileged user could use
this flaw to corrupt kernel memory and potentially escalate privileges.
* Improved fix for CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.
A logic error in the previous fix for CVE-2018-10878 prevented mounting ext4
filesystems with metablock groups enabled.
* Denial-of-service in IBM ASM Service Processor read handler.
A logic error in the ibmasm driver could allow the code to write outside
the bounds of a given buffer, leading to kernel or userspace memory
corruption and possible kernel panic. This could be used to cause a
denial-of-service.
* Information leak in USB serial error handling.
A failure to properly check boundaries could lead to leaking kernel
memory to user space.
* CVE-2018-16276: Privilege escalation in USB Yurex read handler.
A logic error in the USB Yurex read handler code could allow the driver
to access userspace memory outside the bounds of the userspace buffer,
potentially leading to memory corruption or privilege escalation inside
userspace.
* Denial-of-service with multiple loop devices.
Improper device validation in the loop code could lead to an infinite
loop when accessing all of the loop file descriptors. This could be
exploited to cause a denial-of-service.
* CVE-2017-18216: NULL pointer dereference while deleting OCFS2 node.
A race condition when deleting an OCFS2 node could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Improved fix for Spectre v1: Additional bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.
A missing sanitization of array index after bounds check in ZeitNet
ZN1221/ZN1225 driver could lead to an information leak. A local attacker
could use this flaw to leak information about the running system.
* NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.
A missing check in an error path when setting backend in Host kernel
accelerator for virtio net could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.
A missing sanitization of array index after bounds check in Chelsio
Communications T3 10Gb Ethernet driver could lead to an information
leak. A local attacker could use this flaw to leak information about the
running system.
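The two Spectre v1 items above (ZeitNet and Chelsio T3) share one root cause: the array index is bounds-checked but not sanitized before the load, so a mispredicted branch can still speculatively index out of range. The following is an added example, not code from this advisory or from either driver: it shows the kernel-style array_index_nospec() mask pattern in stand-alone user-space C, with a constructed lookup table and lookup functions standing in for a driver's per-port array.

```c
/* Added example: the Spectre v1 "sanitize the index after the bounds check"
 * pattern, written as stand-alone user-space C. It mirrors the shape of the
 * Linux array_index_nospec() helper but is not the kernel's or the drivers'
 * code; the table and the lookup functions are constructed for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_LONG (CHAR_BIT * sizeof(unsigned long))

/* Branchless mask: all ones when index < size, all zeros otherwise.
 * Relies on arithmetic right shift of a negative long, as the kernel does. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1 - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp the index to 0 when it is out of range; in range it is unchanged.
 * Unlike the bounds-check branch alone, this holds on a mispredicted path too. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed table standing in for a driver's per-port or per-queue array. */
static const uint32_t table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Before: bounds check only. Architecturally safe, but a speculative path that
 * mispredicts the check can still read table[idx] with an out-of-range idx. */
uint32_t lookup_unsanitized(unsigned long idx)
{
    if (idx >= 8)
        return 0;
    return table[idx];
}

/* After: same check, then the index is masked before the load, so speculation
 * past the check reads table[0] at worst instead of out-of-bounds memory. */
uint32_t lookup_sanitized(unsigned long idx)
{
    if (idx >= 8)
        return 0;
    idx = index_nospec(idx, 8);
    return table[idx];
}
```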
* Use-after-free in ebtables evaluation loop.
A missing check in ebtables evaluation loop could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.
Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption. This could be exploited to cause a denial-of-service.
* Denial-of-service in non-hierarchical memory cgroup iteration.
A logic error in the memory cgroup code could lead to kernel memory
corruption and a kernel crash when iterating over cgroups. This could
be exploited to cause a denial-of-service.
* CVE-2018-14633: Denial-of-service in iSCSI target authentication.
Incorrect validation of iSCSI authentication information can result in a
stack buffer overflow and lead to a kernel crash. An unauthenticated,
remote attacker could use this flaw to cause a denial-of-service.
* Information leak in compatibility syscalls.
Missing register clearing when performing a 32-bit compatibility system
call could result in an increased attack surface for Spectre based
speculation attacks.
* Note: Oracle will not be providing a zero downtime update for CVE-2018-15594
CVE-2018-15594 is a Spectre v2 leak in paravirt kernels. This impacts
Xen and KVM VM guest kernels where retpoline is used as the Spectre v2
mitigation. Enabling IBRS for Spectre v2 mitigation or upgrading to a
newer kernel mitigates CVE-2018-15594.
* Improved fix for CVE-2017-5753: Speculative execution in eBPF programs.
Missing checks in the eBPF verifier could result in speculative memory
accesses allowing a user with the ability to load eBPF programs to leak
the contents of sensitive memory.
* Denial-of-service in FAT filesystem option parsing.
Missing error handling when parsing filesystem options for a FAT
filesystem could result in a double free. A local user with permissions
to mount filesystems could use this flaw to crash the system.
* Denial-of-service in KVM KVM_IRQFD ioctl().
Missing synchronization when assigning and deassigning a KVM IRQ eventfd
instance could result in a use-after-free and kernel crash, or
potentially, escalation of privileges.
* Denial-of-service in DCCP timestamps.
Invalid clock selection could allow a malicious local user to cause
integer overflows when handling DCCP packet reception causing a denial
of service.
* Denial-of-service in DCCP CCID-3 feedback.
An invalid kernel assertion could cause a kernel crash when processing
DCCP CCID-3 packets on an especially fast host or with a malicious
remote user.
* CVE-2018-15572: Information leak in context switches (SpectreRSB).
Missing RSB fills on some CPU families during context switch could allow
leaking of information between processes with a Spectre v2 attack.
* Improved fix for CVE-2017-5715: Privilege escalation when making firmware calls.
Speculative execution by utilizing branch target injection (Spectre
variant 2) when making firmware calls allows an unprivileged local user
to read arbitrary kernel memory. This may be exploited to escalate
privilege.
* CVE-2018-17182: Privilege escalation in VMA cache flushing.
A failure to correctly invalidate the VMA cache when an integer overflow
occurs can result in a use-after-free. An unprivileged local user could
use this flaw to escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.